CVE-2026-39323

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST parameters are sanitized only with strip_tags() before direct concatenation into SQL queries. This allows authenticated users with "Manage Properties" permission to execute arbitrary SQL commands including data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding. This vulnerability is fixed in 7.1.0.

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-vmfg-c69g-m8p8